xxxterm Web Browser

xxxterm is a minimalist web browser with sophisticated security features designed in, rather than added through an add-on after the fact. In particular, it provides both persistent and per-session controls for scripts and cookies, making it easy to thwart tracking and scripting attacks. It was developed with the goal of becoming a lightweight yet secure replacement for full-featured browsers like Firefox. Initially it was developed by several OpenBSD users specifically for that operating system, but it was later ported to Linux.

In addition to providing a familiar mouse-based interface like other web browsers, it offers a set of vi-like keyboard commands for users who prefer to keep their hands on their keyboard.

The default settings provide a secure environment. With simple keyboard commands, the user can “whitelist” specific sites, allowing cookies and scripts from those sites. It is ISC licensed.

Browse Securely
Web browsing exposes you and your computer to numerous threats. Two of the largest threats are the privacy threat of web tracking and the security threat of malicious scripts. xxxterm is designed to give you explicit control over the features exploited by those threats.

Web Tracking
Browse more securely by controlling which sites are allowed to set cookies on your computer.

Many websites track users. This is often innocuous, with sites tracking users simply to provide a consistent user experience, such as by preserving settings from one session to another. Others track users more broadly and for more intrusive reasons, e.g. tracking across multiple sites to identify patterns of interest to present more profitable advertising. If you occasionally click on ads, you will quickly accumulate hundreds of cookies with information about your supposed interests. The result will be more ads targeted to those interests. The high value that advertisers place on this information prompts them to go to considerable effort to thwart any attempt to delete the tracking information.

The most important way web sites track users is with cookies—small pieces of information saved on your computer and passed back to the site on future visits.

Since there are valid reasons for sites to track their users, xxxterm provides the functionality to whitelist a particular site, allowing it to set cookies. In some cases this is merely convenient—allowing a blog to provide a comment form with the name, email address, and URL fields already filled in. Other times it is essential for the functioning of the website—allowing the site to associate related requests with a session ID.

If you use a site routinely, you may want to permanently whitelist the site (:cookie save). If you don’t expect to use the site again (or not for a long time), you can add it to the per-session whitelist. This will allow you to take advantage of the functionality enabled by the cookies, without exposing you to tracking of your browsing habits beyond this session. If you don’t need the functionality enabled by the cookies, you need not take any action.

In some cases websites track visitors to their site using DNS by embedding large numbers of hostnames in their pages that require a DNS lookup. Almost every browser has DNS prefetch enabled by default, meaning that upon loading a new page all of the hostnames referenced in the page are looked up using DNS whether a visitor follows the links or not. At many sites this means doing hundreds of DNS lookups per page loaded, with most of them returning NX responses. Similarly, many browsers perform full link prefetching by default, which is downloading the content of all the embedded links, not just looking up their DNS. xxxterm has both DNS and link prefetching disabled by default since these operations can be used to track users.
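To make the prefetch exposure described above concrete, the following added example (not xxxterm code) lists the hostnames a prefetching browser would resolve for a page before the user clicks anything, and flags parent domains that appear with many distinct hostnames. The sample page, the names LinkHosts and prefetch_exposure, and the threshold of 3 are assumptions made for this illustration.

```python
from collections import defaultdict
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample page: ordinary links plus several one-off hostnames
# under a single parent domain, the pattern described above.
SAMPLE_PAGE = """
<a href="https://news.example.org/story">story</a>
<a href="https://news.example.org/about">about</a>
<a href="/local/path">relative link, no lookup</a>
<a href="http://a91f3c.t.tracker.example/">.</a>
<a href="http://a91f3d.t.tracker.example/">.</a>
<a href="http://a91f3e.t.tracker.example/">.</a>
<link rel="dns-prefetch" href="//cdn.example.net">
"""


class LinkHosts(HTMLParser):
    """Collect the hostnames a prefetching browser would resolve."""

    def __init__(self):
        super().__init__()
        self.hosts = set()

    def handle_starttag(self, tag, attrs):
        if tag in ("a", "link"):
            host = urlsplit(dict(attrs).get("href") or "").hostname
            if host:  # relative links have no hostname, so no lookup
                self.hosts.add(host)


def prefetch_exposure(html, threshold=3):
    """Return (all hostnames looked up, parents with >= threshold hostnames)."""
    parser = LinkHosts()
    parser.feed(html)
    by_parent = defaultdict(set)
    for host in parser.hosts:
        # Simplification: the last two labels stand in for the parent domain;
        # real code would consult the Public Suffix List.
        by_parent[".".join(host.split(".")[-2:])].add(host)
    flagged = {p: sorted(h) for p, h in by_parent.items() if len(h) >= threshold}
    return sorted(parser.hosts), flagged


if __name__ == "__main__":
    hosts, flagged = prefetch_exposure(SAMPLE_PAGE)
    print(len(hosts), "DNS lookups triggered without any click")
    print("many hostnames under one parent:", flagged)
```
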

Scripting Attacks
Browse securely by controlling which sites are allowed to run scripts on your computer.

Many websites use scripts to provide functionality that would be slow or difficult to provide from the server. Modern web browsers attempt to limit the opportunity for those scripts to do harm, but there have been many instances of malicious scripts—including some cross-site scripting (XSS) attacks, where scripts from one site, such as a game site, make improper use of the user’s credentials on another site, such as a bank site.

So that you can use the features enabled by scripts, xxxterm provides the functionality to whitelist specific sites, allowing their scripts to run on your machine.

If you use a site routinely, you may want to permanently whitelist the site (:js save). If you don’t expect to use the site again (or not for a long time), you can add it to the per-session whitelist. This will allow you to take advantage of the functionality enabled by the scripts, while limiting your exposure to malicious scripts to just this browsing session. If you don’t need the functionality provided by the scripts, you need not take any action.
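The persistent and per-session whitelists described here for scripts, and earlier for cookies, follow the same default-deny model. The sketch below is an added example, not xxxterm's own code: the class SitePolicy, its method names, and the rule that an entry written ".bank.example" covers the domain and its subdomains are assumptions made for illustration. It shows the label-boundary check a whitelist needs so that a look-alike hostname is not accepted, and that session entries are gone after a restart.

```python
class SitePolicy:
    """Default-deny policy for one feature (cookies or scripts).

    Assumption for this sketch: an entry written ".example.com" covers the
    domain and its subdomains; any other entry must match the host exactly.
    """

    def __init__(self, persistent=()):
        self.persistent = set(persistent)  # saved list, survives restarts
        self.session = set()               # discarded when the browser exits

    @staticmethod
    def _covers(entry, host):
        if entry.startswith("."):
            base = entry[1:]
            # Match on a label boundary so "notbank.example" is not covered
            # by ".bank.example", which a bare suffix test would accept.
            return host == base or host.endswith("." + base)
        return host == entry

    def save(self, entry):
        self.persistent.add(entry.lower())

    def allow_for_session(self, entry):
        self.session.add(entry.lower())

    def allowed(self, host):
        host = host.lower().rstrip(".")
        entries = self.persistent | self.session
        return any(self._covers(e, host) for e in entries)

    def restart(self):
        """Model a browser restart: only the saved list is reloaded."""
        return SitePolicy(self.persistent)


def demo():
    cookies = SitePolicy()
    cookies.save(".bank.example")              # site used routinely
    cookies.allow_for_session("shop.example")  # one-off visit
    hosts = ("www.bank.example", "shop.example",
             "notbank.example", "ads.example")
    before = {h: cookies.allowed(h) for h in hosts}
    after = cookies.restart()
    return before, after.allowed("shop.example"), after.allowed("www.bank.example")
```
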

Dealing with Other Dangers
A fundamental design principle of xxxterm is to put the user in charge of his or her own security decisions.

For example, instead of deciding for you which certificate authorities are trusted, xxxterm puts the user in control. If you save a site’s certificate, xxxterm will check it on all future visits, and present a visual indication if it matches.

Part of this is designing the tool to make it easy to avoid some common mistakes. In particular, xxxterm does not have the “feature” of treating a non-URL in the URL field as if it were a search string. This keeps the common mistake of accidentally pasting a password into the URL field from resulting in sending your password to the search engines.